Four Trends in Eastern European Cybercrime

Arrest in Russia on Nov. 22, 2016, as part of an investigation into Cron Android malware. (Source: Group-IB)

Russia takes a lot of blame for cybercrime. It's an easy target these days, given the accusations of alleged Russian government hacking aimed at influencing last year's U.S. presidential election. There are reasons why Russian hackers have ascended: They're smart, well-educated and often turn to the underground for a lack of better economic opportunities.

It's also an ever-evolving scene. At the AusCERT security conference in Gold Coast, Australia, on Friday, Tim Bobak, international business director for Moscow-based Group-IB, walked through trends that cybersecurity company is seeing.

Group-IB does a lot of incident response work and reverse engineering of malware, giving insight into what's going on in the Eastern Europe region, says Bobak, a fluent Russian speaker who splits his time between Russia and the U.K. Some trends defy conventional wisdom.

Here are four Eastern European cybercrime trends that defy conventional wisdom as described by Bobak at the conference.

Real Cybercriminals Hate Ransomware

Ransomware has become the No. 1 scourge on the Internet, particularly after WannaCry, the ransomware with worm-like capabilities that infected more than 200,000 computers worldwide (see Teardown: WannaCry Ransomware).

But the scam isn't being looked upon favorably by some cybercriminals, Bobak says. In fact, some are quite annoyed by it, according to Russian-speaking hacking forums monitored by Group-IB.

"They're discussing not how to do ransomware, but they're talking about how to ban ransomware in the forums," Bobak says. "They're basically having adult conversations about what ransomware is doing for the cybercrime community, how they should react to it, whether they should, for example, institute a ban on it because it is drawing too much international law enforcement attention to cybercrime as a whole."

Russian Law Enforcement Cares

To the irritation of the U.S., Russia won't turn over suspects related to U.S. cybercrime investigations. The countries don't have an extradition treaty. But that isn't a sign that Russia doesn't care about cybercrime, Bobak says.

Russian financial institutions are hit just as hard as others by cybercrime, and those companies work with Russian law enforcement. Group-IB said earlier this week it assisted with an investigation that resulted in the arrests of 16 people last November for allegedly using the "Cron" Android malware to drain bank accounts of more than $800,000.

"[Russian] law enforcement does actually care," Bobak says. "It doesn't get out into the press much because generally no one cares if Russian attackers are arrested in Russia. But it is taking place, and it again needs to be part of this broader conversation."

U.K.-Russian Cooperation Lacking

In addition, there's almost no cooperation between U.K. and Russian law enforcement on cybercrime. The U.K. stopped doing joint investigations with Russia around 2006 after the former FSB agent, Alexander Litvinenko, was poisoned with radioactive polonium-210 at a sushi restaurant in central London. But Bobak says that it is hurting the investigation of cybercrime.

"There's been a period in the U.K. of at least 11 years when nothing has really happened on a constructive basis," he says. "And that's deeply worrying. It's shocking that's still the situation."

ATM Cashouts Viewed as Risky

Last July, $2.2 million was stolen from dozens of ATMs in Taiwan using malicious software. The ATMs were "jackpotted," or relieved of all of their cash, a once-theoretical attack that is now very real (see Taiwan Heist Highlights ATM Weaknesses).

But while impressive, the attacks carry a lot of risks: Money mules have to be on call to collect the cash, and then it has to be ferreted out of the country. It's an operation with a lot of human touch points.

In December, Taiwan sentenced three Eastern European money mules, although another 19 people believe to be connected with the operation left the country, according to the BBC. As a result, one the main groups connected with ATM cashout operations, called Cobalt in a Group-IB report, seems to be moving on.

Now, they're infiltrating the banks' networks and removing the anti-fraud controls and cashout limits around a batch of say, 30 payment cards. Then, those cards are taken to ATMs in places where there's less of a chance of getting caught.

"Where previously, for example in Taiwan, they had to be in the country, now you can sit at home, go and find ATMs that don't have security cameras or go to a country that doesn't have an extradition treaty, do all the cash out there and then launder it back in the country," Bobak says. "I'm fairly confident some way around this will be found."

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.